:.: Solokeys

A few months ago I bought a Solokeys to manage my ssh sessions. As their website puts it, Solokeys is "The first open-source FIDO2 security key".


There are a lot of versions of them (check the website for more options); anyway, I got an "old" one without NFC. Let's plug it directly into the USB port, and a quick dmesg(8) will show you something like this:

uhidev3 at uhub3 port 3 configuration 1 interface 0 "SoloKeys Solo 4.1.5" rev 2.00/1.00 addr 9
uhidev3: iclass 3/0
fido0 at uhidev3: input=64, output=64, feature=0

Now we need to create an ed25519-sk key pair using ssh-keygen(1) (read the man page for more details):

[gonzalo@musashi] /tmp> $ ssh-keygen -t ed25519-sk 
Generating public/private ed25519-sk key pair.
You may need to touch your authenticator to authorize key generation.
You may need to touch your authenticator (again) to authorize key generation.
Enter file in which to save the key (/home/gonzalo/.ssh/id_ed25519_sk): solokeys 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in solokeys
Your public key has been saved in solokeys.pub
The key fingerprint is:
SHA256:03+sJvQSkE3fQF82yASmBGLsUFViJbj5sIcSnZwAWfU gonzalo@musashi
The key's randomart image is:
+[ED25519-SK 256]-+
|   .*=.+oo +=...o|
|   o.o+.+ + .+ o.|
|    +o=.oE . o.  |
|   +.+.=o.. . .  |
|    = o S..      |
|   o +   .o. .   |
|    o    . o. o  |
|          o oo   |
|           +.    |
+----[SHA256]-----+

The Solokey has a little button that you need to press at the moment it says "You may need to touch your authenticator to authorize key generation.". After that point it is like any other key pair: copy the generated .pub into ~/.ssh/authorized_keys on the other machine and you are ready to go:

[gonzalo@musashi] /tmp> $ ssh -i solokeys _firefox@localhost 
Host key fingerprint is SHA256:CWI4pF7ORnDaXzh1911342DsbpGWG8jISYP2x/biAElo
+--[ED25519 256]--+
| ...   .o+ o  .*=|
| o=.  E.o = = B*.|
|..o+o=.o o + O.o.|
|. =oo.+...+ + o o|
| . + . .S  o + . |
|  .         .    |
|                 |
|                 |
|                 |
+----[SHA256]-----+
Confirm user presence for key ED25519-SK SHA256:03+sJvQSkE3fQF82yASmBGLsUFViJbj5sIcSnZwAWfU
User presence confirmed
Last login: Fri Jan  7 20:35:35 2022 from 127.0.0.1
OpenBSD 7.0-current (GENERIC.MP) #239: Fri Jan  7 01:52:50 MST 2022

musashi$
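An added check, not from the post: the .pub that ssh-keygen -t ed25519-sk writes is an sk-ssh-ed25519@openssh.com key whose blob carries the public key and the application string ("ssh:" by default) the token bound it to. This Python script (mine, not the author's; the sample keys are constructed, not real) builds such a line and audits an authorized_keys file to tell token-backed keys from ordinary ones.

```python
import base64

SK_ED25519 = "sk-ssh-ed25519@openssh.com"

def _ssh_string(b):
    """Encode bytes as an SSH wire-format string (uint32 big-endian length + data)."""
    return len(b).to_bytes(4, "big") + b

def _read_string(blob, off):
    """Decode one SSH wire-format string at offset; return (data, next_offset)."""
    n = int.from_bytes(blob[off:off + 4], "big")
    return blob[off + 4:off + 4 + n], off + 4 + n

def make_sk_ed25519_line(pubkey, application=b"ssh:", comment="gonzalo@musashi"):
    """Build the line ssh-keygen -t ed25519-sk writes: base64(type||pubkey||application)."""
    blob = _ssh_string(SK_ED25519.encode()) + _ssh_string(pubkey) + _ssh_string(application)
    return f"{SK_ED25519} {base64.b64encode(blob).decode()} {comment}"

def parse_key_line(line):
    """Describe one authorized_keys line: type, token-backed or not, options, application."""
    fields = line.split()
    # sshd options such as 'no-touch-required' may precede the key type.
    idx = next((i for i, f in enumerate(fields) if f.startswith(("ssh-", "ecdsa-", "sk-"))), None)
    if idx is None or idx + 1 >= len(fields):
        raise ValueError("no key type and blob found")
    ktype, blob = fields[idx], base64.b64decode(fields[idx + 1])
    blob_type, off = _read_string(blob, 0)
    if blob_type.decode() != ktype:
        raise ValueError(f"type field {ktype} does not match blob type {blob_type!r}")
    info = {"type": ktype, "sk": ktype.startswith("sk-"), "application": None,
            "options": fields[:idx], "comment": " ".join(fields[idx + 2:])}
    if ktype == SK_ED25519:  # blob = type, 32-byte pubkey, application (e.g. "ssh:")
        pub, off = _read_string(blob, off)
        app, _ = _read_string(blob, off)
        if len(pub) != 32:
            raise ValueError("ed25519 public key must be 32 bytes")
        info["application"] = app.decode()
    return info

def audit_authorized_keys(text):
    """Parse every key line of an authorized_keys file, skipping blanks and comments."""
    return [parse_key_line(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]

# Constructed sample: a token-backed key (dummy 32-byte pubkey, not a real key)
# beside an ordinary ssh-ed25519 key, so the audit has something to tell apart.
SAMPLE_SK_LINE = make_sk_ed25519_line(bytes(range(32)))
SAMPLE_PLAIN_LINE = "ssh-ed25519 " + base64.b64encode(
    _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(32))).decode() + " laptop"
SAMPLE_FILE = "# constructed example\n" + SAMPLE_SK_LINE + "\n" + SAMPLE_PLAIN_LINE + "\n"
```

Run it against a real ~/.ssh/authorized_keys to list which entries can only be used with a token present (sk is True) and which are plain software keys.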

I already have a port of Solo-cli, with which you can configure other options on your Solokey, like setting a PIN, checking versions, verifying the key itself, and so on (check the GitHub link for more). For now the firmware upgrade is not working because it needs udev. Check the ports@ mailing list for updates about it.

In case you want to do the same with your Yubico key, the process is the same, so it shouldn't be a problem.